Phishing Primer, Part 1



Phishing takes its inspiration from the piscatorial arts, where an angler uses an attractive and perhaps even appetizing-looking or -seeming lure (well, to a fish anyway) to entice an unsuspecting denizen of the watery realm to bite onto a sharp and usually inescapable hook. Once hooked and landed, a fish becomes subject to consumption, often fried in breadcrumbs with a garnish of lemon. Phishing shares these elements with its watery inspiration:

  • It looks like an innocuous and even legitimate e-mail message
  • It seeks to get readers to provide information—often credit card, account, or access data—by responding to the e-mail, especially by clicking on an embedded link in the message
  • The hook is “set” when a reader responds, even if only to click the link, because this can result in background download of malicious software that will record and eventually upload information from the user’s computer


Security experts usually label phishing as a form of “social engineering,” which is a term that describes a battery of techniques designed to get hapless, unsuspecting, or untrained users to provide information about themselves, their accounts, their networks and systems, or other things of potential interest to thieves and malefactors so that it can be exploited. Ultimately, the aim is to steal something of value: often this comes down to financial losses, though it can also result in losses of intellectual property, damage to reputations and credit or credibility.

The “lure” in a phishing attack appears in two parts. First, the initial e-mail message is designed to look as legitimate and ordinary as possible, and to provide some kind of provocation or incentive to impel its readers to act on its content (preferably, by clicking the embedded link). Second, the website to which users are directed is designed to look as much like the actual, legitimate site it imitates as technology will allow. The whole experience is calculated to set off no alarms, and to make users think they’re doing something good, prudent, or necessary by responding to its claims.

For more definitions and descriptions of phishing, you’ll find these sources very helpful:

  1. Wikipedia definition
  2. Webopedia definition
  3. WhatIs.com definition

In Part 2 of this Phishing Primer (to be posted here within the next week), you’ll learn tell-tale signs of phishing, and how to avoid getting hooked. Stay tuned!


Stu Sjouwerman